Reviewing Access Requests for Specific Groups #44942
pnrao1983
started this conversation in
Show and tell
Overview
In some environments it is important to scope access-request review so that reviewers can only see and approve requests that originate from a particular group or groups. This post covers a use case where several teams share the same requester role, but each team's reviewers want to review and approve only the requests coming from their own group.
Scenario
Solution
We can leverage the where statement with the request.system_annotations field to address this use case. For more details, review the Request Annotations documentation.

where: contains(request.system_annotations["groups"], "Customer-Success-Team")
Role Definitions:

Requester Role
This role allows users to request access while including their group information in the request annotations.

Reviewer Role
This role is configured to allow reviewers to see and approve requests only if they come from users who are members of the group Customer-Success-Team.

This configuration ensures that the approver can only review requests from users in the Customer-Success-Team group. The where condition checks whether the request's "groups" system annotation contains Customer-Success-Team.

Summary
By implementing this approach, you can ensure that reviewers only see and manage requests relevant to them while effectively managing access requests within specific groups.
Reference: access-control
Note
If using Azure AD as the IdP, make sure the group value in the where condition is the Group ID (object ID), not the Group Name.
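The two roles described under Role Definitions, written out as an added example. These are not the author's own role definitions: the field layout assumes the Teleport role spec (kind: role, spec.allow.request, spec.allow.review_requests), and the role names, the requested role prod-dbadmin and the trait name external.groups are assumptions chosen for illustration.

```yaml
# Requester role, shared by every team. The requester's IdP group claims
# (assumed to arrive in the user trait "groups") are copied into the
# request's annotations, so each request records who asked for it.
kind: role
version: v7
metadata:
  name: team-requester
spec:
  allow:
    request:
      # Role the user may request (assumed name).
      roles: ["prod-dbadmin"]
      # Role templating expands the trait into a list of group names/IDs;
      # at review time this list is visible as request.system_annotations["groups"].
      annotations:
        groups: ["{{external.groups}}"]
---
# Reviewer role for one team. The where predicate restricts review to
# requests whose "groups" annotation contains this team's group.
kind: role
version: v7
metadata:
  name: customer-success-reviewer
spec:
  allow:
    review_requests:
      roles: ["prod-dbadmin"]
      # With Azure AD as the IdP, replace the group name with the group's
      # object ID, e.g. "<AZURE-AD-GROUP-OBJECT-ID>" (placeholder).
      where: contains(request.system_annotations["groups"], "Customer-Success-Team")
```

Because the group value is written into the annotation from the user's traits at request time rather than typed by the requester, a user cannot steer a request toward a different team's reviewers by editing the request; the reviewer role simply never matches requests whose annotation list lacks its group. A reviewer who must cover two teams gets a second contains(...) clause joined with || in the same where predicate.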